Thanks to Greg for this contribution
(and also to Ron and others that helped him along the way!).
I looked around and it seems that SPNEGO is supported in WebLogic Server and
WebSphere, so this will be yet another feature that can no longer be used to separate
open source from non-open source app servers;
and we have a few more in the queue that we are sure you will like!

"SPNEGO support was added to GF in the form of a pluggable server auth(entication) module that conforms to the Servlet Profile of JSR 196: Java Authentication Service Provider Interface for Containers.
Internally, the server auth module employs the Java GSSAPI interfaces (i.e., org.ietf.jgss) to access the SPNEGO mechanism provided in
Java EE 6.
The Servlet container will be performing the jgss calls (described in the example you cite) on behalf of the deployed application, and within the context of its processing of the declarative security constraints defined for the application.